Monday, April 15, 2013

One unobvious reason that the Struts2 DOJO datetimepicker may not be setting the appropriate attribute within your action is that the theme attribute of your s:form may be set to simple. Try not specifying the theme.

Tuesday, December 6, 2011

Recently a customer of mine had a virus on his computer called Win 7 Security 2012.
This Win 7 Security 2012 is a rogue anti-spyware application, which is often downloaded and installed by a Trojan, through browser security holes or via other unconventional unethical mechanisms. Once installed, Win 7 Security 2012 will display notifications of imaginary security and privacy risks in its attempts to get the user to purchase the full version and may generate system slowdown and instability. This program is extremely difficult to manually remove.
I noticed that this customer also had McAfee Security Center running and updated. I ran the scan and McAfee did not pick up this malware. Two thumbs down. I was able to find a free anti-virus to remove this virus available online.
If you are struggling with fixing this virus, let me know of your problems by commenting below and I'll be sure to get back to you.

It is a standard security practice to change the session identifier (JSESSIONID) after a successful login or authentication.

The attack scenario with this vulnerability is that a user can open a browser on a shared terminal and record the session identifier set by the application. Later, when any other user of the system logs into the application without closing the instances of that browser, the same cookie will be used to track the victim's session.

Alternatively, if the application is susceptible to cross-site scripting on a publicly accessible page (most damagingly the home page), an attacker can use this vulnerability to learn the value of the session identifier, because the cookie has not changed since it was first set. The attacker, now knowing the value of the session token, can hijack the victim's session. This is a limited session fixation attack: the attacker does not control the value of the session identifier, but is able to learn its value through various means before and after a user authenticates.

In most cases, invalidating the session and creating a new one will suffice. However, if you are storing variables or objects in the session, you may need to carry them over from the old session into the new one.

Below is a javax.servlet.Filter. This filter protects against the session fixation attacks described above. The filter looks for a specific session attribute, NEW_SESSION_INDICATOR. If one is found, the filter copies the relevant session data out to a map, invalidates the session, creates a new session and loads the new session with the old session data.

The filter is simply mapped in your web.xml. Any place you successfully authenticate, the NEW_SESSION_INDICATOR attribute is added to the session.

Wednesday, November 30, 2011

CAPTCHA can quickly and easily protect your web application against brute force and bot attacks or abuse. There are just a few simple steps to a CAPTCHA implementation in Java/JSP. The solution is simple and the documentation is quite clear, so I only provide the steps and quick links to those resources.

Step 1: Sign up for a CAPTCHA account and generate keys for your website domains.
Navigate to http://www.google.com/recaptcha and sign up for an account. After obtaining a login, generate keys for your domain.

Step 2: Find the developers guide for CAPTCHA
Navigate to http://code.google.com/apis/recaptcha/intro.html. From here, you'll find all the information you need. Notice in the left hand menu, there's a Java/JSP Plugin link available. Click into that.

Step 3: Download the Java/JSP Plugin and Implement
Navigate to http://code.google.com/apis/recaptcha/docs/java.html where you will find a link to download the plugin, which is a set of Java classes. Extract the source files into your web application's Java source tree. The directions on the page are extremely straightforward.

Step 4: Give the JVM a time interval to refresh its DNS cache
By default the Java Virtual Machine (JVM) caches all DNS lookups forever instead of using the time-to-live (TTL) value which is specified in the DNS record of each host. To fix this issue for good, you can pass -Dsun.net.inetaddr.ttl=30 to your app-server (this tells Java to only cache DNS for 30 seconds).

Thursday, November 17, 2011

The HTTP protocol defines eight methods that can be performed on a resource on an HTTP server. GET, POST and HEAD are the most common methods used to access information provided by a web server. The other methods, OPTIONS, PUT, DELETE, CONNECT and TRACE, are not normally used in the general operation of a web server and can potentially pose a security risk for any web application. So it is good practice to restrict the response to specific HTTP methods.

First, determine which HTTP methods your installation is responding to. I use browser plug-ins that enable me to submit HTTP requests, specifying the URL and HTTP method. There are various plugins available for Chrome and Firefox and I do not make any recommendations here.

Second, according to your test results, configure your Tomcat installation not to respond to certain HTTP methods. This can be configured at the instance level by inserting a <security-constraint> element directly under the <web-app> element in the installation's web.xml file, located at [tomcatinstallation]/conf/web.xml.
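As an added example (not from the post), the constraint below denies PUT, DELETE, OPTIONS and TRACE for every URL; it assumes those are the methods your test found answering, and the resource name is arbitrary.

```xml
<!-- Place directly under <web-app> in [tomcatinstallation]/conf/web.xml. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted HTTP methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- Only the methods listed here are constrained; anything not listed stays allowed. -->
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- An empty auth-constraint grants access to no role at all, so these
       methods are refused (HTTP 403) for every caller, authenticated or not. -->
  <auth-constraint />
</security-constraint>
```

Because the global conf/web.xml applies to every application on the instance, re-run your method test afterwards to confirm that nothing your applications legitimately need (for example OPTIONS for a REST client) has been blocked; Tomcat's HTTP connector already rejects TRACE unless allowTrace="true" is set on it.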

The Java Secure Socket Extension (JSSE) enables secure Internet communications. It provides a framework and an implementation for a Java version of the SSL and TLS protocols and includes functionality for data encryption, server authentication, message integrity, and optional client authentication. Using JSSE, developers can provide for the secure passage of data between a client and a server running any application protocol, such as Hypertext Transfer Protocol (HTTP), Telnet, or FTP, over TCP/IP.

The https protocol is similar to http, but https first establishes a secure channel via SSL/TLS sockets and then verifies the identity of the peer before requesting/receiving data. javax.net.ssl.HttpsURLConnection extends the java.net.HttpURLConnection class and adds support for https-specific features. Upon obtaining an HttpsURLConnection, you can configure a number of http/https parameters before actually initiating the network connection via the method URLConnection.connect.

In some situations, it is desirable to specify the SSLSocketFactory that an HttpsURLConnection instance uses. For example, you may wish to tunnel through a proxy type which is NOT supported by the default implementation. The new SSLSocketFactory could return sockets that have already performed all necessary tunneling, thus allowing HttpsURLConnection to use additional proxies.
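An added example (mine, not from the post or the JSSE documentation) of supplying a custom SSLSocketFactory to an HttpsURLConnection before connect(): here the factory is built from a dedicated truststore so the connection only accepts the server certificates you placed there. The class name, truststore path, password and URL are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PinnedHttpsClient {

    // Build an SSLSocketFactory that trusts only the certificates in the given
    // JKS truststore, instead of the JVM-wide cacerts bundle.
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate
        return ctx.getSocketFactory();
    }

    // Issue a GET and return the HTTP status. Every https parameter is set
    // before connect(); the default HostnameVerifier is kept on purpose so the
    // peer's identity is still checked against the URL's host name.
    static int fetchStatus(String url, SSLSocketFactory factory) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(factory);
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        conn.connect();
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory f = socketFactoryFor("/path/to/pinned-truststore.jks",
                "changeit".toCharArray()); // hypothetical truststore and password
        System.out.println(fetchStatus("https://example.com/", f));
    }
}
```

Setting the factory per connection, as above, leaves every other HttpsURLConnection in the JVM on the default factory; HttpsURLConnection.setDefaultSSLSocketFactory would change the default for all of them.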

About the Author

Ed Song is a technology enthusiast specializing in web application development with open source technologies. His focus is mainly on project management and modern enterprise programming practices. Contact me for rates.